Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2f5e984 by Mike Gabriel at 2018-12-06T08:09:00Z
[libav LTS triaging] Finish triaging 2016 issues for libav in jessie.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -101205,7 +101205,8 @@ CVE-2016-9821 (Integer overflow in 
libavcodec/mpegvideo_parser.c in libav 11.8 a
        NOTE: 
https://git.libav.org/?p=libav.git;a=commit;h=15e1af0006354d6bbf0e433c5d1e8ef13c93d6d0
 (pre 11.9)
 CVE-2016-9820 (libavcodec/mpegvideo_motion.c in libav 11.8 allows remote 
attackers to ...)
        {DLA-791-1}
-       - libav <removed> (unimportant)
+       - libav <removed>
+       [jessie] - libav <not-affected> (The fixing patches are included in the 
upstream version)
        NOTE: 
https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer
        NOTE: 
https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo
        NOTE: https://bugzilla.libav.org/show_bug.cgi?id=980
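Review bot: The reason on the added "[jessie] - libav <not-affected>" line for CVE-2016-9820, "The fixing patches are included in the upstream version", describes a release that ships the fix, not one where the flaw was never present, and it does not say which upstream version is meant. If jessie's libav already contains the fix, recording the fixed package version on the [jessie] line would be more precise; at minimum the reason should name the upstream version so the claim can be checked against what jessie actually ships.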
@@ -101213,7 +101214,8 @@ CVE-2016-9820 (libavcodec/mpegvideo_motion.c in libav 
11.8 allows remote attacke
        NOTE: 
https://git.libav.org/?p=libav.git;a=commit;h=f106f74206e69e9056130da8bddffc39f3878ac3
 (pre 11.9)
 CVE-2016-9819 (libavcodec/mpegvideo.c in libav 11.8 allows remote attackers to 
cause ...)
        {DLA-791-1}
-       - libav <removed> (unimportant)
+       - libav <removed>
+       [jessie] - libav <not-affected> (The fixing patches are included in the 
upstream version)
        NOTE: 
https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer
        NOTE: 
https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo
        NOTE: https://bugzilla.libav.org/show_bug.cgi?id=980
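Review bot: Dropping "(unimportant)" from "- libav <removed>" for CVE-2016-9819 changes the recorded severity of the entry, and the commit message ("Finish triaging 2016 issues for libav in jessie") gives no reason for it. If the tag had to go so that the new [jessie] line reads correctly, a short NOTE saying so would help; otherwise keep the tag on the unstable line.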
@@ -122672,7 +122674,8 @@ CVE-2016-5199 (An off by one error resulting in an 
allocation of zero size in FF
        - chromium-browser 44.0.2403.157-1
        [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
        - ffmpeg 7:3.2-1
-       - libav <undetermined>
+       - libav <removed>
+       [jessie] - libav <not-affected> (Vulnerable code not present)
        NOTE: https://chromium-review.googlesource.com/383956
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/347cb14b7cba7560e53f4434b419b9d8800253e7
 CVE-2016-5198 (V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 
54.0.2840.85 ...)
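Review bot: The reason on the new "[jessie] - libav <not-affected> (Vulnerable code not present)" line for CVE-2016-5199 is less specific than the one this same commit writes to data/dla-needed.txt, which names the missing feature (QuickTime Metadata Keys support). Putting that detail in the reason here, or in a NOTE under the entry, keeps the justification next to the status in data/CVE/list instead of only in the work-in-progress file.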


=====================================
data/dla-needed.txt
=====================================
@@ -65,6 +65,13 @@ libav (Markus Koschany, Mike Gabriel)
   NOTE: 20181130: CVE-2016-10191: patch available, issue untested (no PoC), 
vulnerable
   NOTE: 20181130: CVE-2016-10192: vulnerable code not present (only in ffmpeg)
   NOTE: 20181130: CVE-2016-5115: patch unavailable (needs revisiting), issue 
reproducible, no-dsa (needs revisiting)
+  NOTE: 20181206: CVE-2016-5199: vulnerable code (QuickTime Metadata Keys 
support) not present
+  NOTE: 20181206: CVE-2016-9819: fix included, PoC available (needs testing), 
<not-affected>
+  NOTE: 20181206: CVE-2016-9820: fix included, PoC available (needs testing), 
<not-affected>
+  NOTE: 20181206: CVE-2016-9823: no patch available, PoC available (needs 
testing), currently <no-dsa>
+  NOTE: 20181206: CVE-2016-9824: no patch available, PoC available (needs 
testing), currently <no-dsa>
+  NOTE: 20181206: CVE-2016-9825: no patch available, PoC available (needs 
testing), currently <ignored>
+  NOTE: 20181206: CVE-2016-9826: no patch available, PoC available (needs 
testing), currently <ignored>
 --
 libsndfile (Hugo Lefeuvre)
   NOTE: 20181123: CVE-2018-19432 minor but several older CVEs triaged no-dsa 
(such as CVE-2017-8361)
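Review bot: The added notes for CVE-2016-9819 and CVE-2016-9820 read "fix included, PoC available (needs testing), <not-affected>", so the not-affected status is committed to data/CVE/list in this same change while the PoC run is still outstanding. Either run the PoC against the jessie package before setting the status, or say in the data/CVE/list reason that the conclusion rests on patch inspection only. The four notes for CVE-2016-9823 through CVE-2016-9826 say "no patch available" with "currently <no-dsa>" or "currently <ignored>" but give no pointer to who will do the testing or when it is revisited, which the CVE-2016-5115 note above at least flags with "needs revisiting".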



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2f5e984c8c82c0a77e9acb750586fd6b76913f1
